System Assurance

System Assurance teaches students how to use Object Management Group's (OMG) expertise and unique standards to obtain accurate knowledge about existing software and compose objective metrics for system assurance.
OMG's Assurance Ecosystem provides a common framework for discovering, integrating, analyzing, and distributing facts about existing enterprise software. Its foundation is the standard protocol for exchanging system facts, defined as the OMG Knowledge Discovery Metamodel (KDM). In addition, the Semantics of Business Vocabularies and Business Rules (SBVR) defines a standard protocol for exchanging security policy rules and assurance patterns. Using these standards together, students will learn how to leverage the knowledge of the cybersecurity community and bring automation to protect systems.
This book includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture, and code analysis guided by the assurance argument. A case study illustrates the steps of the System Assurance Methodology using automated tools.
This book is recommended for technologists from a broad range of software companies and related industries; security analysts, computer systems analysts, computer software engineers-systems software, computer software engineers- applications, computer and information systems managers, network systems and data communication analysts.

- Provides end-to-end methodology for systematic, repeatable, and affordable System Assurance.

- Includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture and code analysis guided by the assurance argument.

- Case Study illustrating the steps of the System Assurance Methodology using automated tools.

1;Front Cover;1 2;System AssuranceBeyond DetectingVulnerabilities;4 3;Copyright;5 4;Dedication;6 5;Contents;8 6;Foreword;14 7;Preface;16 8;Chapter 1: Why hackers know more about our systems;22 8.1;1.1. Operating In Cyberspace Involves Risks;22 8.2;1.2. Why Hackers Are Repeatedly Successful;24 8.3;1.3. What are the challenges in defending cybersystems?;25 8.4;1.4. Where Do We Go From Here?;34 8.5;1.5. Who Should Read This Book?;42 8.6;Bibliography;42 9;Chapter 2: Confidence as a product;44 9.1;2.1. Are You Confident That There Is No Black Cat In The Dark Room?;44 9.2;2.2. The Nature of Assurance;52 9.3;2.3. Overview of the assurance process;64 9.4;Bibliography;67 10;Chapter 3: How to build confidence;70 10.1;3.1. Assurance in the System Life Cycle;70 10.2;3.2. Activities of System Assurance Process;73 10.3;Bibliography;101 11;Chapter 4: Knowledge of system as an element of cybersecurity argument;102 11.1;4.1. What is System?;102 11.2;4.2. Boundaries of the System;103 11.3;4.3. Resolution of the system description;105 11.4;4.4. Conceptual Commitment for System Descriptions;106 11.5;4.5. System Architecture;108 11.6;4.6. Example of an Architecture Framework;111 11.7;4.7. Elements of a System;114 11.8;4.8. System Knowledge Involves Multiple Viewpoints;116 11.9;4.9. Concept of Operations (CONOP);119 11.10;4.10. Network Configuration;119 11.11;4.11. System Life Cycle and Assurance;121 11.12;Bibliography;130 12;Chapter 5: Knowledge of risk as an element of cybersecurity argument;132 12.1;5.1. Introduction;132 12.2;5.2. Basic Cybersecurity Elements;135 12.3;5.3. Common Vocabulary for threat identification;140 12.4;5.4. Systematic threat identification;160 12.5;5.5. Assurance Strategies;162 12.6;5.6. Assurance of the threat identification;166 12.7;Bibliography;167 13;Chapter 6: Knowledge of vulnerabilities as an element of cybersecurity argument;168 13.1;6.1. Vulnerability as a unit of Knowledge;168 13.2;6.2. Vulnerability databases;177 13.3;6.3. Vulnerability life cycle;184
13.4;6.4. NIST Security Content Automation Protocol (SCAP) Ecosystem;186 13.5;Bibliography;191 14;Chapter 7: Vulnerability patterns as a new assurance content;192 14.1;7.1. Beyond Current SCAP Ecosystem;192 14.2;7.2. Vendor-neutral vulnerability patterns;195 14.3;7.3. Software Fault Patterns;196 14.4;7.4. Example Software Fault Pattern;207 14.5;Bibliography;210 15;Chapter 8: OMG software assurance ecosystem;212 15.1;8.1. Introduction;212 15.2;8.2. OMG assurance ecosystem: toward collaborative cybersecurity;214 15.3;Bibliography;221 16;Chapter 9: Common fact model for assurance content;222 16.1;9.1. Assurance Content;222 16.2;9.2. The Objectives;224 16.3;9.3. Design Criteria for Information Exchange Protocols;225 16.4;9.4. Trade-offs;226 16.5;9.5. Information Exchange Protocols;227 16.6;9.6. The Nuts and Bolts of Fact Models;229 16.7;9.7. The Representation of Facts;241 16.8;9.8. The Common Schema;247 16.9;9.9. System Assurance Facts;248 16.10;Bibliography;252 17;Chapter 10: Linguistic models;254 17.1;10.1. Fact Models and Linguistic Models;254 17.2;10.2. Background;256 17.3;10.3. Overview of SBVR;257 17.4;10.4. How to Use SBVR;258 17.5;10.5. SBVR Vocabulary for Describing Elementary Meanings;262 17.6;10.6. SBVR Vocabulary for Describing Representations;266 17.7;10.7. SBVR Vocabulary for Describing Extensions;268 17.8;10.8. Reference schemes;268 17.9;10.9. SBVR Semantic Formulations;269 17.10;Bibliography;273 18;Chapter 11: Standard protocol for exchanging system facts;274 18.1;11.1. Background;274 18.2;11.2. Organization of the KDM Vocabulary;275 18.3;11.3. The Process of Discovering System Facts;278 18.4;11.4. Discovering the Baseline System Facts;281 18.5;11.5. Performing Architecture Analysis;313 18.6;Bibliography;321 19;Chapter 12: Case study;322 19.1;12.1. Introduction;322 19.2;12.2. Background;323 19.3;12.3. Concepts of Operations;323 19.4;12.4. Business Vocabulary and Security Policy for Clicks2Bricks in SBVR;329 19.5;12.5. Building the Integrated System Mod
el;340 19.6;12.6. Mapping Cybersecurity Facts to System Facts;348 19.7;12.7. Assurance Case;351 19.8;Bibliography;357 20;Index;358